The U.S. Department of Justice announced on June 2 that the agency had cooperated with international law enforcement groups and private companies to disrupt the operations of two major online threats, the Gameover Zeus botnet and the Cryptolocker ransomware the botnet distributed.
The Gameover Zeus Trojan compromises computer systems, putting them under control of a criminal group based out of Russia and the Ukraine. The infected computers join a peer-to-peer botnet, allowing the criminal operators to steal confidential information and passwords, as well as install additional malicious software. Cryptolocker, one of the programs installed by Gameover Zeus, encrypts users’ data and then demands a ransom in exchange for the encryption key.
Cracking the complexity of the botnet and finding leads on the group behind it made the law enforcement action the most complex to date, involving government agencies from a dozen nations and nearly 20 private companies and academic organizations.
“We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world,” U.S. Deputy Attorney General James M. Cole said in a statement announcing the operation.
The Gameover Zeus botnet has caused more than $100 million in damages and compromised an estimated 500,000 to 1 million computers, a quarter of which likely reside in the United States, according to the Department of Justice. Cryptolocker has infected more than 234,000 computers, of which half are in the United States, and gained its operators more than $27 million in ransom payments, the DOJ stated.
As part of the operation, two district courts in the United States indicted a 30-year-old Russian citizen, Evgeniy Mikhailovich Bogachev, with criminal charges and a civil injunction, naming him a leader of the gang of criminals responsible for both Gameover Zeus and Crytolocker.
Dell Secureworks, which aided law enforcement officials in both investigations, agreed that a single group was behind the attacks. The group did not sell the Gameover software, like some underground groups did with other variants of Zeus, but rented out the resulting botnet, Brett Stone-Gross, senior security researcher at Secureworks’ Counter Threat Unit, told eWEEK.
As a peer-to-peer botnet, Gameover was very difficult to take down. Moreover, the botnet could be reconstituted, but not without some effort, he said.
“There is nothing stopping them from recreating the botnet from scratch,” Stone-Gross said. “That is something that we have seen time and again.”
As part of the operation, the Department of Justice also obtained court orders to allow it to take measures to intercept traffic from infected computers and redirect them to clean servers that can direct victims on how to clean their systems.
No law enforcement agency accessed the content of victim’s computers or communications, according to the U.S. Department of Justice. Microsoft aided in formulating a response to Gameover Zeus, the company said in a statement.
“Microsoft’s role in this technical action was to conduct analysis on the P2P network and develop a cleaning solution … and work closely with global Community Emergency Response Teams (CERTs) and Internet service providers (ISPs) to help owners of compromised computers regain control of their systems,” Richard Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit, said in the statement.
Law enforcement agencies from Australia, Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, New Zealand, Ukraine and the United Kingdom cooperated with the European Cybercrime Centre and the U.S. Department of Justice to conduct the operation.
Companies that aided in the technical analysis of the botnet and ransomware attack included CrowdStrike, Deloitte Cyber Risk Services, McAfee, Microsoft, Neustar and Symantec as well as Carnegie Mellon University and the Georgia Institute of Technology.